How to automate EBS encryption with Elastic Beanstalk
I am looking to encrypt my root EBS volumes for new EC2 environments that I create. I know that I can do this from the AWS console and from CloudFormation, but would like to be able to do so via an Elastic Beanstalk config file.
I have tried setting the EBS volume in the launch configuration, however this only creates an additional volume alongside the root volume:

```yaml
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
  BlockDeviceMappings:
    - DeviceName: "/dev/sdf1"
      Ebs:
        Encrypted: true
        VolumeSize: 8
        VolumeType: gp2
```
I have also tried to create a new EBS volume on environment creation, however I am unsure how to dynamically get the EC2 instance's logical name (I used MyEC2 here for reference):

```yaml
Type: AWS::EC2::Volume
Properties:
  AutoEnableIO: true
  AvailabilityZone: { "Fn::GetAtt": [ "MyEC2", "AvailabilityZone" ] }
  Encrypted: true
  KmsKeyId: mykey
  Size: 8
  VolumeType: gp2
```
Essentially I need to be able to create a new environment with an encrypted root volume. Any help would be greatly appreciated!
I believe the availability zone is the only place. Since this is Elastic Beanstalk, I don't have any other configuration aside from this snippet. I believe if I were using CloudFormation it would be simple to get the name from
– McLovin, Sep 11 '18 at 15:50
With the first approach, what is the outcome? Is it creating, but it's not encrypted? Or is the template not working?
– Nune Isabekyan, Sep 12 '18 at 10:09
The first approach will create a new volume, however the root volume, which is unencrypted, is still attached and in use.
– McLovin, Sep 12 '18 at 22:07
I don't know if this is possible for EBS, at least automatically using .ebextensions, but it surely is for EFS, which has been designed with scalability in mind. An EFS filesystem can be created and mounted in multiple AZs/subnets, allowing traffic from the default AWS Elastic Beanstalk instance security group. github.com/awsdocs/elastic-beanstalk-samples/blob/master/… github.com/aws-samples/eb-php-wordpress/blob/master/…
– Oscar Nevarez, Sep 13 '18 at 22:13
1 Answer
You cannot specify an encrypted root volume using either CloudFormation or Beanstalk. The key is to use an AMI that has an encrypted root volume. This means copying the AMI that you want to use and encrypting it during the AMI copy process. Once you have an encrypted AMI, you would use that AMI Id in CloudFormation or Beanstalk to launch instances.
To encrypt a root volume:
This is the only method available on AWS to encrypt the root volume on an EC2 instance. Once you have an encrypted AMI, you can use this with any service where you can specify the AMI ImageId to create instances.
The encrypted volume will use KMS to manage the encryption keys. Note: there is a minor charge for each KMS key, plus usage charges.
You can also create an encrypted AMI using the CLI (the AWS CLI option names are shown; square brackets mark optional arguments):

```shell
aws ec2 copy-image --source-region source_region --source-image-id source_ami_id \
    [--name ami_name] [--description ami_description] [--client-token token] \
    [--encrypted] [--kms-key-id keyid]
```
Do not use AMIs created from snapshots when creating an encrypted AMI. AWS states that this can cause boot failures.
For Elastic Beanstalk here is a link to use a custom AMI:
Using a Custom Amazon Machine Image (AMI)
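The answer's approach, carried through as a small automation, is shown below. This is an added example and not code from the question or the answer: it builds the encrypted `copy_image` request, waits for the copy, checks that the *root* device of the resulting image is encrypted (an extra encrypted volume on `/dev/sdf1`, which is what the question's first attempt produced, does not pass this check), and emits the `.ebextensions` option that pins the environment to the new AMI. The region, AMI id and KMS key alias are placeholders; boto3 is assumed to be installed and credentials configured only for `main()`, while the helper functions and the constructed sample image descriptions run offline.

```python
"""Encrypted-root-AMI helper for Elastic Beanstalk (added example)."""
from typing import Any, Dict


def copy_image_request(source_region: str, source_image_id: str,
                       name: str, kms_key_id: str) -> Dict[str, Any]:
    """Keyword arguments for EC2.Client.copy_image producing an encrypted copy.

    Encrypted=True re-encrypts every EBS snapshot backing the image, including
    the root volume, under the given KMS key.
    """
    return {
        "SourceRegion": source_region,
        "SourceImageId": source_image_id,
        "Name": name,
        "Encrypted": True,
        "KmsKeyId": kms_key_id,
    }


def root_volume_encrypted(image: Dict[str, Any]) -> bool:
    """True only if the image's root device mapping is an encrypted EBS volume.

    `image` is one entry of describe_images()["Images"]. Encrypting a secondary
    device does not count: the root volume is the one that boots and the one
    the question is about.
    """
    root = image.get("RootDeviceName")
    for mapping in image.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root:
            return bool(mapping.get("Ebs", {}).get("Encrypted", False))
    return False


def ebextensions_config(ami_id: str) -> str:
    """YAML for .ebextensions/encrypted-ami.config pinning the launch AMI."""
    return (
        "option_settings:\n"
        "  aws:autoscaling:launchconfiguration:\n"
        f"    ImageId: {ami_id}\n"
    )


# Constructed sample describe_images entries (not real AWS output).
SAMPLE_ENCRYPTED_ROOT = {
    "ImageId": "ami-0encryptedcopy000",
    "RootDeviceName": "/dev/xvda",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True, "VolumeSize": 8}},
    ],
}
# Mirrors the question's first attempt: /dev/sdf1 encrypted, root untouched.
SAMPLE_EXTRA_VOLUME_ONLY = {
    "ImageId": "ami-0unencryptedroot00",
    "RootDeviceName": "/dev/xvda",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False, "VolumeSize": 8}},
        {"DeviceName": "/dev/sdf1", "Ebs": {"Encrypted": True, "VolumeSize": 8}},
    ],
}


def main(region: str = "us-east-1",                 # placeholder region
         source_image_id: str = "ami-0123456789abcdef0",  # placeholder AMI
         kms_key_id: str = "alias/eb-root-volume") -> str:  # placeholder key
    """Copy, wait, verify, and return the .ebextensions snippet (needs boto3)."""
    import boto3  # imported here so the helpers above run without boto3
    ec2 = boto3.client("ec2", region_name=region)
    request = copy_image_request(region, source_image_id,
                                 f"{source_image_id}-encrypted", kms_key_id)
    new_id = ec2.copy_image(**request)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[new_id])
    image = ec2.describe_images(ImageIds=[new_id])["Images"][0]
    if not root_volume_encrypted(image):
        raise SystemExit(f"{new_id}: root device is not encrypted")
    return ebextensions_config(new_id)


if __name__ == "__main__":
    print(main())
```

The check in `root_volume_encrypted` is the one worth keeping in a deployment pipeline: `describe-images` reports `Encrypted` per block device, so a gate on the root device alone catches the case the question describes, where an encrypted data volume sits beside an unencrypted boot volume.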
Is the availability zone the only place where you need the EC2 logical name? Can you post your full launch configuration?
– Taterhead, Sep 11 '18 at 5:37